[Pkg-shadow-devel] [Git][debian/adduser][wip-comment1] 2 commits: add failing test to comment test10.pl

Marc Haber (@zugschlus) gitlab at salsa.debian.org
Tue May 6 18:26:08 BST 2025 


Marc Haber pushed to branch wip-comment1 at Debian / adduser


Commits:
48ca8ba8 by Marc Haber at 2025-05-06T19:24:56+02:00
add failing test to comment test10.pl

Git-Dch: ignore

- - - - -
dd3c9a8e by Marc Haber at 2025-05-06T19:25:22+02:00
check comment for control chars and :

Git-Dch: ignore

- - - - -


2 changed files:

- adduser
- testsuite/test10.pl


Changes:

=====================================
adduser
=====================================
@@ -357,6 +357,13 @@ if( defined $special_home ) {
     $special_home = sanitize_string( decode($charset, $special_home), simplepathre);
 }
 
+if ( defined $comment_tainted ) {
+    log_trace("check comment %s for unwanted chars", $special_home);
+    # do not sanitize, can't be done without libperl
+    if ( $comment_tainted !~ qr/^([^\x00-\x1F\x7F:]*)$/ ) {
+        die( "unwanted chars in comment" );
+    }
+}
 if( defined $special_shell ) {
     log_trace("sanitize special_shell");
     $special_shell = sanitize_string( decode($charset, $special_shell), simplepathre);
@@ -1480,7 +1487,7 @@ sub ch_comment {
 
     # untaint unconditionally. our call to system() is safe, so
     # we leave the check to usermod
-    if ($comment =~ qr/^(.*)$/ ) {
+    if ($comment =~ qr/^([^\x00-\x1F\x7F:]*)$/ ) {
         systemcall($usermod, '-c', $1, $name);
     } else {
         log_fatal("unconditional sanitize of comment failed. This should not happen.");


=====================================
testsuite/test10.pl
=====================================
@@ -9,18 +9,23 @@ my $comment;
 my $cmd;
 
 sub testusercomment {
-    my ($username, $comment) = @_;
+    my ($username, $comment, $fail_expected) = @_;
+    $fail_expected ||= 0;
     $cmd = 'adduser --comment="'. $comment. '" --home=/nonexistent --disabled-password '. "$username";
     if (!defined (getpwnam($username))) {
         print "Testing $cmd... ";
         `$cmd`;
         my $error = ($?>>8);
-        if ($error) {
-            print "failed\n  adduser returned an errorcode != 0 ($error)\n";
-            exit $error;
+        if( $fail_expected > 0 ) {
+            assert(check_user_not_exist ($username));
+        } else {
+            if ($error) {
+                print "failed\n  adduser returned an errorcode != 0 ($error)\n";
+                exit $error;
+            }
+            assert(check_user_exist ($username));
+            assert(check_user_comment ($username, $comment));
         }
-        assert(check_user_exist ($username));
-        assert(check_user_comment ($username, $comment));
 
     }
 
@@ -45,6 +50,7 @@ testusercomment($username, "Tom O\'Mälléy");
 testusercomment($username, "Tomaß O\'Mälléy");
 testusercomment($username, "Éom O\'Mälléy");
 testusercomment($username, "Éoœm O\'Mälléy");
+testusercomment($username, "Tom:Malley", 1);
 
 # vim: tabstop=4 shiftwidth=4 expandtab
 



View it on GitLab: https://salsa.debian.org/debian/adduser/-/compare/6842a9b50d567f60b0f12ff39ebb50ba1df30900...dd3c9a8e015902f54f310e1d37e8df56ad86b928

-- 
View it on GitLab: https://salsa.debian.org/debian/adduser/-/compare/6842a9b50d567f60b0f12ff39ebb50ba1df30900...dd3c9a8e015902f54f310e1d37e8df56ad86b928
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-shadow-devel/attachments/20250506/0d26f266/attachment-0001.htm>

More information about the Pkg-shadow-devel mailing list